CNSE 4.1 Exam Preparation GuideV3.pptx - Palo Alto Networks
CNSE 4.1 Exam Preparation GuideV3.pptx - Palo Alto Networks
CNSE 4.1 Exam Preparation GuideV3.pptx - Palo Alto Networks
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Palo</strong> <strong>Alto</strong> <strong>Networks</strong> <strong>CNSE</strong> <strong>4.1</strong><br />
<strong>Exam</strong> <strong>Preparation</strong> Guide<br />
<strong>Palo</strong> <strong>Alto</strong> <strong>Networks</strong> Education<br />
V.3
Additional Study Documents and White Papers<br />
There is a companion pack of support documents that are to<br />
be distributed with this <strong>CNSE</strong> <strong>4.1</strong> <strong>Exam</strong> <strong>Preparation</strong> Guide.<br />
References to these related documents will be made in red<br />
text throughout this guide.<br />
The document pack in entitled “<strong>Palo</strong> <strong>Alto</strong> <strong>Networks</strong> <strong>CNSE</strong><br />
Tech Notes 2012”; it can be obtained from the same source<br />
as this <strong>CNSE</strong> study guide.<br />
Page 2 |<br />
© 2012 <strong>Palo</strong> <strong>Alto</strong> <strong>Networks</strong>. Proprietary and Confidential <strong>4.1</strong>
General Advice<br />
• 100 multiple-choice/multiple select questions in 2.5 hours. You can go back to<br />
previous questions, to change your answer if necessary.<br />
• Passing score is 60%<br />
• You need to have been working with the PA firewalls in order to get a<br />
respectable score on the test. Make sure you have completed at least one tapmode<br />
install (see this doc for steps):<br />
Tech Note - PAN tap mode install.pdf<br />
and one Layer3 install with NAT:<br />
Tech Note - PAN_L3-Config guide.pdf<br />
• When a how-to doc is listed here, it is highly recommended that you not only<br />
read that doc, but actually go through the steps and perform the setup in that<br />
doc (using PAN-OS <strong>4.1</strong> of course)<br />
• Additional reference documents include the <strong>4.1</strong> Admin Guide:<br />
<strong>4.1</strong>_admin_guide (_beta).pdf<br />
• and the CLI guide:<br />
PAN-OS_<strong>4.1</strong>_CLI_Reference_Guide.pdf<br />
Page 3 |
Major <strong>Exam</strong> Topics<br />
• Administration & Management<br />
Page 4 |<br />
- Device configuration, commit workflow<br />
• Network Architecture:<br />
- NAT, Packet Flow, SP3<br />
• Security Policies/Profiles<br />
- WildFire, URL-Filtering, DLP<br />
• User-ID<br />
- User-ID Agent, Captive Portal<br />
• IPsec VPN<br />
- Configuring route-based site-to-site connectivity<br />
• SSL Decryption<br />
- Inbound and outbound, SSHv2, certificates<br />
• High Availability:<br />
- Active/Passive, Active/Active<br />
• Troubleshooting<br />
- Connectivity, Panorama, NAT, VPN<br />
• GlobalProtect<br />
- SSL VPN, Certificates, HIP Profiles, HIP matches<br />
• Panorama<br />
- configuration management, commit workflow, pre and post policy, device groups, shared objects<br />
and device group objects<br />
© 2012 <strong>Palo</strong> <strong>Alto</strong> <strong>Networks</strong>. Proprietary and Confidential <strong>4.1</strong>
PA appliances as of PAN-OS <strong>4.1</strong>: 4000, 2000, 500 Series<br />
PA-‐4060<br />
• 10 Gbps FW<br />
• 5 Gbps threat preven2on<br />
• 2,000,000 sessions<br />
• 4 XFP (10 Gig) I/O<br />
• 4 SFP (1 Gig) I/O<br />
PA-‐2050<br />
• 1 Gbps FW<br />
• 500 Mbps threat preven2on<br />
• 250,000 sessions<br />
• 16 copper gigabit<br />
• 4 SFP interfaces<br />
Page 5 |<br />
PA-‐4050<br />
• 10 Gbps FW<br />
• 5 Gbps threat preven2on<br />
• 2,000,000 sessions<br />
• 16 copper gigabit<br />
• 8 SFP interfaces<br />
PA-‐2020<br />
• 500 Mbps FW<br />
• 200 Mbps threat preven2on<br />
• 125,000 sessions<br />
• 12 copper gigabit<br />
• 2 SFP interfaces<br />
PA-‐4020<br />
• 2 Gbps FW<br />
• 2 Gbps threat preven2on<br />
• 500,000 sessions<br />
• 16 copper gigabit<br />
• 8 SFP interfaces<br />
PA-‐500<br />
• 250 Mbps FW<br />
• 100 Mbps threat preven2on<br />
• 50,000 sessions<br />
• 8 copper gigabit
PA appliances as of PAN-OS <strong>4.1</strong>: PA-5000 Series<br />
PA-5060<br />
• 20 Gbps FW<br />
• 10 Gbps threat prevention<br />
• 4 Gbps IPSec VPN<br />
• 20,000 SSL VPN Users<br />
• 4,000,000 sessions<br />
• Up to 225 VSYS<br />
(4) SFP+ (10 Gig) I/O<br />
• (8) SFP (1 Gig) I/O<br />
• (12) 10/100/1000<br />
Page 6 |<br />
© 2012 <strong>Palo</strong> <strong>Alto</strong> <strong>Networks</strong>. Proprietary and Confidential.<br />
PA-5050<br />
• 10 Gbps FW<br />
• 5 Gbps threat prevention<br />
• 4 Gbps IPSec VPN<br />
10,000 SSL VPN Users<br />
• 2,000,000 sessions<br />
• Up to 125 VSYS<br />
• (4) SFP+ (10 Gig) I/O<br />
• (8) SFP (1 Gig) I/O<br />
• (12) 10/100/1000<br />
• Hot swappable fans, power supplies<br />
• Dual, solid state hard drives<br />
• Dedicated HA and management interfaces<br />
• 2U standard rack mount form factor<br />
PA-5020<br />
• 5 Gbps FW<br />
• 2 Gbps threat prevention<br />
• 2 Gbps IPSec VPN<br />
5,000 SSL VPN Users<br />
• 1,000,000 sessions<br />
• Up to 20 VSYS<br />
• (8) SFP (1 Gig) I/O<br />
• (12) 10/100/1000
PA Appliances as of PAN-OS <strong>4.1</strong>: 200 Series<br />
Page 7 |<br />
• 100 Mbps firewall throughput (App-ID enabled 1 )<br />
• 50 Mbps threat prevention throughput<br />
• 50 Mbps IPsec VPN throughput<br />
• 64,000 max sessions<br />
• 1,000 new sessions per second<br />
• 25 IPsec VPN tunnels/tunnel interfaces<br />
• 25 SSL VPN Users<br />
• 3 virtual routers<br />
• 10 security zones<br />
• 250 max number of policies<br />
© 2012 <strong>Palo</strong> <strong>Alto</strong> <strong>Networks</strong>. Proprietary and Confidential <strong>4.1</strong>
Five Physical Interface Types:<br />
1. Tap mode interfaces simply listen to a span/mirror port of a switch<br />
2. Virtual wire<br />
- EXACTLY two interfaces, what comes in one, goes out the other<br />
- Can be any combo (copper-copper, fiber-fiber, copper-fiber)<br />
- no MAC address or IP addresses on the interfaces<br />
- the device is still a stateful firewall and can block traffic<br />
3. L2<br />
- multiple interfaces can be configured into a “virtual-switch” or VLAN in L2<br />
mode. L2 Interfaces do not participate in STP, as Spanning Tree Protocol<br />
is not supported<br />
4. L3<br />
- IP address is required, all layer-3 operations available.<br />
5. HA (on all devices except the 4000 and 5000 series, you must configure two<br />
traffic ports as the HA ports)<br />
Note that all interfaces, regardless of type, can be simultaneously supported.<br />
Page 8 |
Logical Interfaces Supported<br />
• Subinterfaces (802.1q)<br />
- Up to 4094 VLAN supported per port<br />
- Max of 4094 VLANs per system<br />
• Aggregate interfaces (802.3ad)<br />
- Only on PA-4000 and PA-5000 series<br />
- Up to 8 physical 1 Gig interfaces can be placed into an aggregate<br />
group<br />
- Up to 8 aggregate groups are supported per device<br />
- Each interface in a group must be the same physical media (all<br />
copper, or all fiber)<br />
• Tunnel interfaces- for IPSec or SSL VPNs<br />
• Loopback interfaces<br />
Page 9 |
Multicast Support<br />
• Support for Multicast Filtering<br />
- available in Virtual Wire and L3<br />
- multicast IP addresses can now be used in firewall rules used with<br />
Virtual Wires and L3<br />
• Multicast routing is supported in PAN-OS <strong>4.1</strong> for PIM-SM sparse mode<br />
and IGMP protocols.<br />
• Additional information can be found in the following support document:<br />
<strong>Palo</strong><strong>Alto</strong><strong>Networks</strong>_DesignGuide_RevA.pdf<br />
Page 10 |
Available Features in Different Interface Modes<br />
Page 11 |<br />
Vwire<br />
L2<br />
L3<br />
- No VPN<br />
- No "auto" setting for HA passive link<br />
- No VPN<br />
- No NAT (FYI in PAN-OS <strong>4.1</strong> you can do NAT in Vwire mode)<br />
- No "auto" setting for HA passive link<br />
- If IPv6 is passing, security policies can be written for this traffic<br />
- No Multicast support<br />
- If IPv6 is passing, security policies can be written for this traffic
Interface Management<br />
• An interface management profile specifies which protocols can be used to<br />
manage the firewall.<br />
• Management profile can be assigned to:<br />
- L3 interfaces<br />
- Loopback interfaces<br />
- VLAN interfaces<br />
• Configured under Network tab -> Network Profiles ->Interface Management<br />
Page 12 |
Device Management<br />
• Managing the firewall (via GUI, SSH, etc.) is performed via the MGT<br />
interface on the PAN by default.<br />
• You can specify different physical interfaces to use for specific<br />
management services via Device tab -> Setup -> Service Route<br />
Configuration.<br />
Page 13 |
Application Identification<br />
• App-ID provides the ability to identify applications and application<br />
functions. App-ID is a core function of the <strong>Palo</strong> <strong>Alto</strong> <strong>Networks</strong> device.<br />
• App-ID uses various methods to determine what exactly is running in<br />
the session:<br />
- Protocol decoders<br />
- Protocol decryption<br />
- Application signatures<br />
- Heuristics are used when the above methods can not identify the<br />
application. This is the method by which applications such as the<br />
proprietarily-encrypted BitTorrent and UltraSurf are identified<br />
• App-ID even works in these scenarios:<br />
Page 14 |<br />
- If the application is running on a different port than expected<br />
- If the application is being transmitted in an SSL tunnel (the firewall can<br />
forward proxy the SSL connection) or if it employs SSHv2<br />
- If the application is going through an HTTP proxy
Application Selection Window<br />
Within each policy, you can specify what applications you want to control. You can<br />
specify individual applications, or groups of applications. Some applications, such<br />
AIM instant messenger and Facebook, give you control over specific functions.<br />
Applications with Application Function Control are represented hierarchically.<br />
Page 15 |<br />
© 2012 <strong>Palo</strong> <strong>Alto</strong> <strong>Networks</strong>. Proprietary and Confidential <strong>4.1</strong><br />
Dynamic Filter<br />
Individual<br />
Application<br />
Static Group
Dynamic Application Filters<br />
• A dynamic application filter is configured by specifying particular criteria.<br />
• The example below is a dynamic filter of all browser-based file-sharing<br />
apps.<br />
• Advantage of dynamic application filters: any new applications that fit into<br />
those categories will automatically be added to that dynamic filter.<br />
Page 16 |
Application Groups and Application Filters<br />
• Applications Groups are static. Applications are manually added and<br />
maintained by firewall administrators.<br />
• Applications Filters are dynamic. Applications are filtered by traits such as risk,<br />
subcategory, technology, characteristic, etc.<br />
• If you create an Application Filter on a specific criteria, such as the<br />
subcategory of games’, it will include all applications which are defined as a<br />
game. Any new games defined by an APP-ID signature will automatically be<br />
included as part of this filter.<br />
Page 17 |<br />
© 2012 <strong>Palo</strong> <strong>Alto</strong> <strong>Networks</strong>. Proprietary and Confidential <strong>4.1</strong>
Security Policy Operation<br />
• All traffic flowing from one security zone to another security zone requires a policy to<br />
allow the traffic<br />
• The policy list is evaluated from the top down<br />
• The first rule that matches the traffic is used<br />
• No further rules are evaluated after the match<br />
• When configuring a security to allow an application through the firewall, the service field<br />
should be set to “application-default” for inbound services. That will restrict the<br />
application to only use its standard ports (example: DNS will be restricted to only use port<br />
53). It is a best practice to configure application-default or an explicit port(s) for increased<br />
control of the communication on the network<br />
• Note that intra-zone traffic is allowed by default<br />
• If you create a rule at the end of the list that says to deny (and log) all traffic, that will<br />
block intra-zone traffic (which may not be your intention)<br />
Page 18 |
Scheduling Security Policies<br />
• Policies can be scheduled to occur at particular times of day, or be a one-time<br />
occurrence<br />
• Schedules are defined under Objects tab-> Schedules<br />
Once defined, these Schedules can be reused across multiple rules<br />
• Possible schedule choices:<br />
• Schedules are assigned under Policies tab -> Security Policy-> Options column<br />
Page 19 |
Blocking Skype<br />
• The skype application is classified on the PAN device as two separate<br />
applications: skype-probe and skype.<br />
• In general, think of the skype-probe application as the control channel,<br />
and “skype” application as the data channel.<br />
• Since skype is so evasive, the way you prevent skype from sending or<br />
receiving voice or video is by allowing skype-probe, but blocking<br />
skype.<br />
• This forces skype to use a communication that is easy to predict and<br />
block via App-ID<br />
Page 20 |
Monitoring Traffic<br />
• The default traffic log behavior is to log all at session close. On a per-rule basis,<br />
the functionality logging at session start/session end can be selectively toggled or<br />
disabled completely<br />
• Traffic log can be viewed under Monitor tab -> Logs -> Traffic.<br />
• The application that was detected is shown in the log.<br />
• Filters can be created, using a syntax similar to Wireshark<br />
Page 21 |<br />
- Here is an example where you are viewing all traffic between 1.2.3.4 and 3.3.3.11:
Monitoring Traffic (2)<br />
Special Application names are used to define traffic not explicitly identified by App-ID.<br />
These application will be displayed in the Traffic log as follows:<br />
• “incomplete”<br />
- SYN or SYN-SYNACK-ACK is seen, but no data packets are seen<br />
• “insufficient-data” means that either:<br />
- The firewall didn’t see the complete TCP 3-way handshake, or<br />
- There were no data packets exchanged after the handshake<br />
• “unknown-tcp”<br />
- Application consists of unknown tcp traffic.<br />
• “unknown-udp”<br />
- Application consists of unknown udp trafic.<br />
• “unknown-p2p”<br />
- Application matches generic p2p heuristics<br />
• “not-applicable”<br />
Page 22 |<br />
- Session is blocked by the firewall
Log Forwarding<br />
• The logs on the firewall can be forwarded to multiple locations. Upon<br />
generation of a log message, that message can be immediately<br />
forwarded to:<br />
- Syslog server<br />
- SNMP manager<br />
- Email<br />
- Panorama<br />
• You configure the log message destination via a Log Forwarding<br />
Profile:<br />
Page 23 |
Unknown Applications<br />
• Scenario: a network has a particular application that runs on a specific<br />
port, yet the <strong>Palo</strong> <strong>Alto</strong> firewall identifies it as “unknown-tcp” or<br />
“unknown-udp”<br />
• To configure the firewall to identify this app, you will need to do three<br />
things:<br />
Page 24 |<br />
1. Create a new application<br />
2. Create an application override policy<br />
3. Make sure there is a security policy that permits the traffic
Steps to Define a New Application<br />
1. Objects -> Applications, click New<br />
- Specify the application name and properties<br />
- On advanced tab, enter the port number that uniquely identifies the app<br />
- Nothing else required, click ok<br />
2. Policies -> Application Override-> Add Rule<br />
- Specify port number<br />
- Config application to be<br />
the one you just created<br />
3. Policies -> Security -> Add Rule<br />
- Configure as appropriate: src zone/dest zone/src addr/dest addr/src user<br />
- Select the new app in the application column<br />
- For service, select “application default”<br />
- Select the action you want (permit/deny)<br />
4. Commit<br />
Page 25 |
More on Unknown Applications<br />
• App override policies are checked before security policies. The app<br />
override policy will be used in place of our App-ID engine to identify the<br />
traffic.<br />
• Security profiles CANNOT be assigned to Application Override<br />
policies. Application Override policies bypass the Signature Match<br />
Engine entirely, which means that this also eliminates the option of<br />
performing Content-ID on this traffic. Because of this fact, the<br />
Application Override feature should be used with internal traffic only.<br />
• The solution on the previous page is a short-term solution. If the<br />
application is a common-use application, it is recommended that the<br />
customer submit pcaps of the application to <strong>Palo</strong> <strong>Alto</strong> Support. Then<br />
our engineering team can create a new signature for the particular app.<br />
Page 26 |
Source Address Translation<br />
• NAT rules are in a separate rulebase than the security policies.<br />
• <strong>Palo</strong> <strong>Alto</strong> firewall can perform source address translation and destination address translation.<br />
• Shown below is the NAT rule as well as the security rule to perform source translation<br />
• See powerpoint notes below for more info<br />
Page 27 |<br />
SA DA SP DP<br />
10.1.1.47 4.2.2.2 43778 80<br />
• Post NAT: From L3-trust -> L3-untrust<br />
• Pre NAT: From L3-trust -> L3-untrust<br />
SA DA SP DP<br />
64.3.1.22 4.2.2.2 1031 80
Destination Address Translation<br />
See powerpoint notes below for description<br />
Page 28 |<br />
SA DA SP DP<br />
12.67.5.2 6<strong>4.1</strong>0.11.103 5467 80<br />
Notice the destination zone is the same as the source zone<br />
• Post NAT: From L3-untrust -> L3-trust<br />
• Pre NAT: From L3-untrust -> L3-untrust<br />
SA DA SP DP<br />
12.67.5.2 192.168.10.100 5467 80<br />
Notice the destination zone is based upon the post-NAT address
Security Profiles<br />
• Security Profiles look for malicious use of allowed applications<br />
• Security Policies define which applications are allowed<br />
• Profiles are applied to policies that allow traffic<br />
Page 29 |
Using Security Profiles<br />
• The profile used for traffic is based on the policy that allows the traffic<br />
• <strong>Exam</strong>ple:<br />
• Open Twitter: Student users, no URL filtering profile<br />
• Limited Twitter: All other users, URL filtering to specific twitter URL’s<br />
Page 30 |
Anti-Virus Profiles<br />
Page 31 |<br />
• A decoder is a software<br />
process on the firewall<br />
that interprets the<br />
protocol.<br />
• In the antivirus and<br />
anti-spyware security<br />
profiles, you can<br />
specify actions based<br />
upon the 6 main<br />
decoders in the system,<br />
shown to the left.
Configuring Exceptions<br />
• If you have a threat or virus that you do not want to be detected, you can configure an<br />
exception<br />
• Two ways to configure an exception:<br />
Page 32 |<br />
1. On the security profile, go to the exceptions tab, enter the threat ID there:<br />
2. In the threat log, click on the threat or virus name. In the pop-up window, next to<br />
exceptions, click “show”, then select the profile to add the exception to.
Email Protocols and AV/Spyware Protection<br />
• If a <strong>Palo</strong> <strong>Alto</strong> <strong>Networks</strong> firewall detects a virus or spyware in SMTP,<br />
a 541 response is sent to the sending SMTP server to indicate that<br />
the message was rejected. This allows the <strong>Palo</strong> <strong>Alto</strong> <strong>Networks</strong><br />
firewall to effectively block viruses distributed over SMTP.<br />
• For POP3/IMAP, the only action the <strong>Palo</strong> <strong>Alto</strong> <strong>Networks</strong> device can<br />
will ever take is “alert”. The device will never block or drop for these<br />
protocols, even if you configure an action of “block”.<br />
• The reason for this is because POP3/IMAP protocols will continue to<br />
resend the email message again and again if an intermediate device<br />
tries to close the session. This is a limitation of the POP3/IMAP<br />
protocols.<br />
Page 33 |
Vulnerability Protection<br />
• Provides IPS functionality<br />
• Detects attempts to use known exploits on the network<br />
Page 34 |
Custom Response Pages<br />
• Response pages are configured under Device tab -><br />
Response pages<br />
• You can externally edit and upload those response pages<br />
to the device<br />
• Only the html file can be uploaded to the device, images<br />
cannot be uploaded<br />
• Response pages are displayed in the web browser only<br />
and pertain only to web-based applications<br />
- Thus if a threat is detected during say a BitTorrent session, the<br />
response page will not appear<br />
• Response Pages for web-based applications are not<br />
enabled by default<br />
Page 35 |
Disable Server Response Inspection<br />
• The vulnerability protection<br />
profile by default scans traffic<br />
going in both directions (from<br />
client to server, and from<br />
server to client)<br />
• Most IPSs only examine the<br />
traffic from the client to<br />
server.<br />
• The way to examine traffic<br />
from only client to server on<br />
the <strong>Palo</strong> <strong>Alto</strong> firewall is to<br />
check the box to “disable<br />
server response inspection”<br />
on the security policy<br />
(options column).<br />
Page 36 |
URL Filtering Profile<br />
• Actions can be defined<br />
for each category<br />
• Notification page for user<br />
can be customized<br />
• Allow List and Block List<br />
accept wild cards<br />
- To specify all servers in a<br />
domain called xyz.org, two<br />
entries must be created:<br />
Ø xyz.org<br />
Ø *.xyz.org<br />
• Upon URL license<br />
expiration, URL database<br />
is no longer used; traffic<br />
is allowed or blocked<br />
based upon the “action<br />
on license expiration”<br />
field shown here.<br />
Page 37 |
URL Filtering Actions<br />
• Allow – Traffic is passed, no log generated<br />
• Block – Traffic is blocked. Block log generated<br />
• Alert – Traffic is allowed. Allow log generated<br />
• Continue – User is warned that the site is questionable. Block-<br />
Continue log generated<br />
- If user clicks through the traffic is allowed and a Continue log is<br />
generated<br />
• Override – Traffic is blocked. User is offered chance to enter override<br />
password. Block-Override log generated<br />
Page 38 |<br />
- If user enters password the traffic is allowed and an Override log is<br />
generated
Default Block Pages<br />
Page 39 |
Misc. URL Filtering Topics<br />
• Order of checking within a profile:<br />
1. Block list<br />
2. Allow list<br />
3. Custom Categories<br />
4. Cached<br />
5. Pre-defined categories<br />
• “Dynamic URL filtering”<br />
- Can be enabled on each URL filtering profile<br />
- If enabled, the PA device will query the cloud to resolve URLs that<br />
are not categorized by the on-box URL database<br />
• To determine the category of an URL from the CLI:<br />
Page 40 |<br />
- test url
Data Filtering Overview<br />
• Scan traffic for potentially sensitive strings of data<br />
- Data strings defined by regular expressions<br />
- Data pattern must be at least 7 bytes in length<br />
- Default strings are defined for SSN and credit card numbers<br />
• Each data string is assigned a weight<br />
• Alert threshold and block threshold is based upon weights<br />
Page 41 |
Data Filtering <strong>Exam</strong>ple<br />
Credit Card Weight = 1<br />
SSN Weight = 2<br />
Alert Threshold = 4<br />
Block Threshold = 8<br />
Page 42 |<br />
(4)<br />
(1)<br />
(3)<br />
+<br />
Single<br />
Session<br />
Count =1<br />
+<br />
Count =4<br />
Alert<br />
+ +<br />
Count =8<br />
Block
Data Filtering Password Setup<br />
• PCAPs on data filters require a password to be configured prior<br />
- Single password for firewall, stored locally, configured on Device<br />
tab-> Setup screen<br />
• See PowerPoint notes below for more info<br />
Page 43 |
Zone Protection<br />
• For each security zone, you can define a zone protection profile that specifies<br />
how the security gateway responds to attacks from that zone.<br />
• The same profile can be assigned to multiple zones.<br />
• The following types of protection are supported:<br />
- Flood Protection—Protects against SYN, ICMP, UDP, and other IP-based<br />
flooding attacks.<br />
- Reconnaissance detection—Allows you to detect and block commonly used<br />
port scans and IP address sweeps that attackers run to find potential attack<br />
targets.<br />
- Packet-based attack protection—Protects against large ICMP packets and<br />
ICMP fragment attacks.<br />
• Configured under Network tab -> Network Profiles -> Zone protection<br />
Page 44 |
WildFire<br />
• WildFire relies upon two main technologies: a virtual sandbox environment and<br />
a malware signature generator<br />
• WildFire is enabled via the “Forward” and “Continue-and-Forward” file-blocking<br />
actions<br />
Page 45 |<br />
• Wildfire<br />
Cloud<br />
Files<br />
Signatures<br />
File<br />
Submission<br />
Comparer<br />
Automated<br />
Signature<br />
Generator<br />
Virtual Test<br />
Environment<br />
Admin Web<br />
Portal
WildFire<br />
• Provides a virtual sandbox environment for Windows PE files<br />
• A hash of each file is sent to the WildFire cloud. If no existing signature exists, the<br />
file is uploaded. The new signature will be made available as part of the next AV<br />
Update<br />
• Files up to 10 MB in size can be manually uploaded to the WildFire portal for<br />
inspection<br />
Page 46 |
Packet Flow<br />
• Refer to this document on the packet flow in PAN-OS:<br />
PANOS Packet Flow.pdf<br />
• Have a general understanding of how packet are<br />
processed by the <strong>Palo</strong> <strong>Alto</strong> <strong>Networks</strong> firewall<br />
Page 47 |<br />
- Determine which of the following is checked first: NAT rules,<br />
security rules, PBF rules, app-ID<br />
- Prior to the session being established, a forward lookup is<br />
performed to determine what the post-NATed zone will be.<br />
- The packet flow process is intrinsically tied to the Single Pass<br />
Parallel Processing (SP3) hardware architecture of the <strong>Palo</strong> <strong>Alto</strong><br />
<strong>Networks</strong> next-generation firewall.<br />
- Applications are identified once a session is created on an allowed<br />
port.
Role-based Administration<br />
• Administrators can be given rights using the built in options or by<br />
creating new administrative roles<br />
• There are 6 pre-defined administrator roles:<br />
- Superuser – All access to all options of all virtual systems.<br />
- Superuser (read-only)<br />
- Device Admin – Full access to the device except for creation of<br />
virtual systems and administrative accounts.<br />
- Device admin (read-only)<br />
- Vsys Admin – Full access to a specific virtual system.<br />
- Vsys admin (read-only)<br />
• To provide a more granular level of control, additional roles can be<br />
created.<br />
Page 48 |
User-ID: Enterprise Directory Integration<br />
• Users no longer defined solely by IP address<br />
Page 49 |<br />
- Leverage existing Active Directory or LDAP infrastructure without complex agent rollout<br />
- Identify Citrix users and tie policies to user and group, not just the IP address<br />
• Understand user application and threat behavior based on actual<br />
username, not just IP<br />
• Manage and enforce policy based on user and/or AD group<br />
• Investigate security incidents, generate custom reports
Where are Usernames Used?<br />
1. Stored in Logs<br />
• Sort log data by User / Group<br />
• Filter logs by User<br />
2. As a Value to Match in Security Policy<br />
• Control application use by group<br />
• Separate unknown user traffic from known user traffic<br />
3. In URL-Filtering Response pages, User Name will be displayed<br />
Page 50 |
User-ID Agent Setup and Upgrade Procedure<br />
One agent is used for all directory services (AD,<br />
LDAP, eDirectory)<br />
• The agent setup process is outlined here:<br />
Tech Note - PAN User-ID Agent install steps.pdf<br />
• The most recent version of User-ID agent should always be<br />
used. PAN-OS will auto-detect the agent version and change<br />
it’s behavior accordingly. The best practices when<br />
implementing the agent are outlined here:<br />
Tech Note - User Identification Best Practises PANOS <strong>4.1</strong>.pdf<br />
• When upgrading from a previous agent version to the <strong>4.1</strong><br />
User-ID agent, use the following procedure:<br />
Tech Note - User-ID_Upgrade_<strong>4.1</strong>.pdf<br />
The User-ID API can be employed when connectivity to<br />
another identity management system is required
Installing the User-ID agent<br />
• For detailed instructions on the operation of the User-ID Agent, read this<br />
document in detail: User-Identification-Operations-4.0.pdf<br />
• Note that a best practice would be to install two User-ID Agents for each<br />
domain in the forest (for redundancy)<br />
• In addition to mapping IP addresses, the User-ID agent can also act as<br />
an LDAP proxy, to assist in the enumeration process. This behavior is<br />
enabled through the selection of the “Use as LDAP Proxy” checkbox:<br />
• Don’t forget to enable user-ID in the zone which<br />
contains the users!<br />
Page 52 |
Terminal Server Agent<br />
• Runs on the Terminal or Citrix Metaframe server<br />
• TS Agent modifies the client port number from each user<br />
• Firewall tracks user by source port, not by IP address<br />
Page 53 |<br />
User A<br />
User B<br />
• User A gets ports<br />
20400 - 20800<br />
Terminal Server<br />
with TS Agent<br />
Internet
Captive Portal<br />
• Captive portal is a feature of the <strong>Palo</strong> <strong>Alto</strong> <strong>Networks</strong> firewall that<br />
authenticates users via an alternate source, such as a RADIUS server.<br />
• Use captive portal when:<br />
Page 54 |<br />
- You have Windows users that are not logging into the AD domain<br />
Ø Authentication can be transparent if using NTLM authentication<br />
- You have Mac or Unix workstations<br />
Ø Users will see a login prompt<br />
Ø Users using captive portal without<br />
transparent NTLM authentication<br />
can be authenticated against RADIUS,<br />
Kerberos, LDAP, AD, or the local firewall.<br />
- You wish to invoke user identification<br />
for users that were not identified via one of the other user identification<br />
methods<br />
• Once users authenticate with the firewall, user-based policies can be<br />
applied to the user’s traffic.
Captive Portal (2)<br />
• How to configure Captive Portal:<br />
Tech Note - Captive Portal Transparent vs Redirect mode v3.1.pdf<br />
Tech Note - How to configure Captive Portal in PANOS 3.1.x L3.pdf<br />
Tech Note - How to Configure Captive Portal in PANOS 3.1.x Vwire.pdf<br />
• A portion of this doc references certificate authentication;<br />
certificates are available with PAN-OS 4.0 or higher. The<br />
rest of the doc is applicable to PAN-OS 3.1<br />
- Captive Portal NTLM authentication requires the User ID Agent to be<br />
installed. The User ID agent must have the “Use for NTLM<br />
Authentication” checkbox selected.<br />
Page 55 |
Implementation of IPSec in PAN-OS<br />
• PAN-OS implements route-based site to site IPSec VPN’s<br />
- No IPSec client software available (use SSL VPN instead)<br />
• The destination of the traffic determines if a VPN is required<br />
• The tunnel is represented by a logical tunnel interface<br />
- One tunnel interface can support 10 IPSec tunnels<br />
• The routing table chooses the tunnel to use<br />
• 192.168.10.0/24<br />
Page 56 |<br />
• 2<strong>4.1</strong>.1.12<br />
Routing Table<br />
10.2.0.0/24 -> Tunnel.<br />
1<br />
Tunnel.1<br />
Peer:<br />
161.10.12.64<br />
• IP Sec Tunnel<br />
• 161.10.12.64<br />
• 10.2.0.0/24
Steps to Configure an IPSec site-to-site VPN<br />
1. Create a tunnel interface<br />
- Under the <strong>Networks</strong> tab-> Interfaces-> New Tunnel Interface<br />
- Assign it to a L3 Zone and a Virtual Router<br />
2. Configure the IPSec Tunnel<br />
- Under <strong>Networks</strong> tab, IP Sec Tunnel<br />
- If site to site with another PAN-OS device use simple configuration<br />
- Set advanced options if required<br />
3. Add static route to the appropriate Virtual Router or enable dynamic<br />
routing protocol<br />
- Under <strong>Networks</strong> tab, Virtual Router<br />
- Create a route for the remote private network using the tunnel interface<br />
Dynamic routing protocols will traverse the tunnel if you assign a static IP<br />
to the tunnel interface<br />
Page 57 |
Notes about IPSec site-to-site VPNs<br />
• Possible IKE phase 1 authentication methods:<br />
- Pre-shared key only<br />
• It is possible to configure multiple phase 2 IP IPSec tunnels to use the<br />
same phase 1 gateway, as long as each phase 2 config uses different<br />
proxy IDs on that same tunnel interface.<br />
• You can attempt to bring up all ipsec tunnels on the device via:<br />
test vpn ipsec-sa <br />
• How-to configure IPSec VPNs:<br />
Tech Note - How to configure site2site IPSec 4.0.pdf<br />
• There are two docs, read the one titled “How to Configure an IPSec VPN”<br />
Page 58 |<br />
- There are a number of questions on IPsec, you should definitely follow this doc to<br />
configure a tunnel.
GlobalProtect - SSL VPN<br />
• PAN-OS supports not only IPSec site-to-site VPNs, but SSL VPNs. SSL VPN’s<br />
are provided via the GlobalProtect agent<br />
• The GlobalProtect agent will run on Win32/Win64 and OS X 32-bit/64-bit clients<br />
• The native VPN client on Apple iOS devices is officially supported via XAuth<br />
• Interface types that can be used for the SSL VPN portal:<br />
- L3 interface<br />
- Loopback interface<br />
• Prior to PAN-OS <strong>4.1</strong> NetConnect was the VPN client employed for SSL VPN’s.<br />
To migrate NetConnect to GlobalProtect, follow this procedure:<br />
Tech Note - NC to GP Migration.pdf<br />
• GlobalProtect can be installed as a basic Ipsec/SSL VPN or configured to make<br />
use of HIP profiles and HIP matches. Quickstart GlobalProtect guide:<br />
Quick Start Guide Global Protect ver2.pdf<br />
Page 59 |
SSL VPN Client Configuration Screen<br />
Page 60 |
SSL Decryption<br />
• The <strong>Palo</strong> <strong>Alto</strong> firewall can perform SSL decryption on connections that<br />
are initiated inbound or outbound, so that the traffic can be inspected<br />
for threats or restricted apps<br />
• Inbound decryption:<br />
- Use when you want to intercept and decrypt users traffic coming<br />
from the Internet to your DMZ servers<br />
- You must load onto the firewall the same certificates that are on<br />
your DMZ servers<br />
• Outbound decryption:<br />
Page 61 |<br />
- Use when you want to decrypt users traffic coming from the internal<br />
network and going to the external network<br />
- You need to have a PKI infrastructure in place for this to be<br />
transparent to the user<br />
- This is referred to as “forward-proxy”
Configuring SSL Inbound Decryption Certificate<br />
• All certificates on the device (inbound/outbound/admin UI/etc) are<br />
centrally managed under the “Certificates” node on the “Device” tab<br />
• You can add edit a certificate to establish it as an SSL inbound<br />
certificate. You should create one certificate for each DMZ server<br />
that you will be decrypting traffic for<br />
• You can establish different SSL inbound certificates for different<br />
inbound SSL decryption rules.<br />
Page 62 |
Configuring SSL Outbound Decryption Certificate<br />
• You can either generate a self-signed certificate (good for testing purposes),<br />
or import a certificate from your company’s certificate server.<br />
• In order to prevent users from seeing a browser certificate error, it is<br />
recommended that you have a PKI infrastructure deployed in your<br />
organization. Therefore you will be able to import into the firewall a certificate<br />
that is trusted by the users’ browsers.<br />
• When no internal PKI infrastructure is available, it is possible to distribute the<br />
firewall CA certificate to clients e.g. using Group Policy Objects functionality<br />
in Active Directory.<br />
Page 63 |
Configuring SSL Inbound or Outbound Policies<br />
Once the appropriate certificates are imported/created, SSL Decryption<br />
policies can be created. For either inbound or outbound decryption, the<br />
policies are configured under Policies tab -> SSL Decryption.<br />
Page 64 |<br />
- For inbound decryption, add a rule that looks like the following. This<br />
will decrypt traffic from the Internet to the public web server.<br />
- For outbound decryption, and add two new rules that look like this:<br />
Ø The first rule will not decrypt any traffic going to the URL<br />
categories of finance, health, and shopping.<br />
Ø The second rule will decrypt (proxy) all other connections. Make<br />
sure to choose action “decrypt” on the second rule
Misc. SSL Decryption<br />
• When SSL is decrypted, the app running inside the SSL<br />
session will appear in the traffic log. For example:<br />
- https://facebook.com, SSL decryption NOT enabled, traffic log will<br />
show application is SSL<br />
- https://facebook.com, SSL decryption enabled, traffic log will show<br />
application is facebook<br />
• The firewall will NOT send a response page for a virus<br />
detected with decrypted SSL traffic<br />
Page 65 |
High Availability: Active/Passive<br />
• 2 unit cluster provides Stateful synchronization<br />
• HA 1 syncs certificates, response pages, and configuration<br />
- Communications can be encrypted by swapping the HA keys on both firewalls<br />
• HA 2 syncs are Stateful session information between both devices<br />
• Split-brain, in which both firewalls are attempting to take control as the<br />
Active device, can be controlled by enabling HA1 backup and/or<br />
enabling Heartbeat backup<br />
Primary Path<br />
Secondary Path<br />
Page 66 |<br />
Config<br />
State
HA Failure States<br />
• Link Failure<br />
- One or more physical links<br />
go down<br />
• Path Failure<br />
- IP Address connectivity<br />
• Combinations<br />
Page 67 |<br />
- Multiple possible failure<br />
states
High Availability: Active/Active<br />
• Requires a Group ID to uniquely identify both Devices within an<br />
HA Cluster<br />
• Requires the selection of Active Active mode<br />
• Requires the “Enable Config Sync” checkbox to be selected<br />
Page 68 |<br />
Cluster<br />
(Group) ID<br />
Device ID<br />
0 or 1<br />
HA1 link
Active/Active | HA3 interface<br />
• A third HA interface is required for Active/Active HA. This interface<br />
provides Packet forwarding for Session Setup and L7 processing<br />
(App-ID and Content-ID) in asymmetrically-routed environments<br />
If enabled, Zone,<br />
Routing, and VR<br />
configuration sync’d<br />
“IP Module”, “Primary<br />
Device” or “IP Hash”<br />
If unchecked, this will<br />
be an Active/Passive<br />
configuration<br />
If disabled, no virtual<br />
IP shared between<br />
firewalls
Misc HA<br />
• How to configure Active/Passive HA in PAN-OS 4.x:<br />
Tech Note - HA Active Passive 4.0.pdf<br />
• How to configure Active/Active HA in PAN-OS 4.x:<br />
Tech Note - HA Active Active 4.0.pdf<br />
• HA failover can be triggered by the following three mechanisms:<br />
- Link failure<br />
- Path failure<br />
- Heartbeat loss<br />
• Command to view the HA settings/status:<br />
- show high-availability state<br />
• Upgrading a PAN-OS 3.1 HA cluster to PAN-OS 4.0<br />
https://live.paloaltonetworks.com/docs/DOC-1751<br />
• If Pre-emptive mode is enabled, the firewall with the lowest priority setting<br />
will become master. Pre-emptive mode must be enabled on both firewalls.<br />
Page 70 |
Panorama<br />
• Central source to view log / report data, as well as to centrally manage the firewalls<br />
• Virtual Appliance (on Vmware)<br />
• Supports shared policies<br />
• Connects to firewall using SSL<br />
• Panorama is sold separately from the firewalls in 25/100/1000 license versions (licensed by firewall,<br />
not by virtual system)<br />
• Firewalls are managed in Device Groups. Pre and post policies are pushed to Device Groups by<br />
selecting the appropriate Device Group/s as a “Target” when creating new rules within Panorama<br />
Page 71 |
Panorama GUI<br />
• Uses similar GUI as devices<br />
• “Panorama” tab provides management options for<br />
Panorama<br />
Page 72 |
Adding Devices to Panorama<br />
Page 73 |
Shared Policy<br />
• Rules can be added before or after device rules<br />
Page 74 |<br />
- Called pre-rules and post-rules<br />
• Rules can be targeted to be installed on specific devices
View and Commit<br />
You can view a combined policy for any device<br />
You can push policy changes via<br />
Panorama managed devices screen<br />
Page 75 |
Additional Notes on Panorama<br />
• The firewall uses the config on the device itself. Panorama<br />
can store a backup copy of each firewall’s config.<br />
• The only thing that affects each firewall’s config are the<br />
pre-rules and post-rules.<br />
• When you make a change locally on the firewall, and that<br />
device is being managed by Panorama, you do NOT need<br />
to re-import the device, or synchronize the config between<br />
panorama and the firewall. The pre and post rules are still<br />
maintained on the firewall.<br />
• The connection between a firewall and Panorama can be<br />
severed by selecting the “Disable Shared Config” option on<br />
the firewalls’ Device tab.<br />
Page 76 |
Topics that have minimal or no questions<br />
• Dynamic routing<br />
• QoS<br />
• Policy-based forwarding<br />
• CLI commands (there will be questions testing the ability to<br />
read CLI command output, but not the commands<br />
themselves)<br />
Page 77 |